Mar 2011
March 2011 - Protect Yourself
30/03/11 22:49
Protect Yourself:
March 2011 edition of Protect Yourself.
This issue focuses on data security:
http://projects.mediaplanet.com/uk/ethical_livng_1_7532/done_paper/protect_small.pdf Read More...
ISSD 2011 Conference
23/03/11 21:28
CAMM are proud to announce our partnership with ISSD 2011. Details of the event and the programme are available from the web site (www.issdconference.com). Read More...
The cost of saving money – no longer the company reputation.
06/03/11 18:24
This article first appeared in Network Security magazine http://www.elsevierscitech.com/nl/ns/home.asp Read More...
Assess, Measure, and Qualify the Security of Cloud Service Providers.
06/03/11 18:24
Late on a Friday afternoon, you are the CISO contemplating the approaching weekend when your phone rings. The CEO asks: ‘If we migrate critical services into this new Cloud thing, how can we assure security?’ He then informs you that he is running late for his golfing trip, so there is no need to rush the answers; Monday morning will be fine! Read More...
The word on the CIO's lips today is Cloud
06/03/11 18:23
The word on the CIO's lips today is Cloud. They are asking questions like:
- How may Cloud be leveraged to drive a smarter, more agile business?
- Will Cloud be economical when measured against conventional technologies?
- Will Cloud meet the demands of the business and its clients?
And then there is that famous question posed by Dustin Hoffman's dentist:
- Is it safe?
Cloud Computing Legal Issues
06/03/11 18:22
Cloud computing seems an unavoidable, fast-paced revolution. Analysts estimate that in 2012 the size of the enterprise cloud-computing business may reach $60 billion to $80 billion, or about 10% of the global IT-service and enterprise-software market (BCG 2009 Capturing the Value of Cloud Computing). Such a revolution brings about many benefits but also several legal concerns. As Des Ward rightly wrote in his article The cost of saving money – no longer the company reputation: “[w]hilst the immediate instinct is to just look at the cost saving, it’s simply not possible to reduce costs and transfer all your risks at the same time.” Read More...
Cloud Computing Legal Issues: An Overview (Part 1/2)
06/03/11 18:21
Cloud computing can be defined as the ultimate expression of outsourcing, whereby the customer contracts out to cloud service providers (CSPs) the computing resources (e.g., networks, servers, storage, applications, and services) that are fundamental to running the customer’s business. Inevitably, the stability and results of the customer’s business become highly dependent on the CSP’s correct performance. Moreover, considering that the services provided by CSPs are mainly e-mail, messaging, desktops, accounts and finance, payroll, customer billing, project management, CRM, sales management, and custom application development, a significant amount of the customer’s critical information and personal data may circulate in the cloud and thus be managed/processed by the CSP.
Read More...
Cloud Computing Legal Issues: An Overview (Part 2/2)
06/03/11 18:20
The main legal concerns with the cloud model relate to data protection and data security; confidentiality of information and intellectual property; law enforcement access; professional negligence by cloud service providers (CSPs); subcontracting of cloud services and CSP change of control; and ‘vendor lock-in’ (ENISA 2009 Cloud Computing Risk Assessment). Read More...
ISSA UK panel about CAMM
06/03/11 18:20
The ISSA UK chapter will host a panel discussion about CAMM on 9th September 2010 in London. More details about the event and how to register can be found on the ISSA UK web site. Read More...
Cloud Computing Legal Issues: When does Directive 95/46/EC Apply?
06/03/11 18:19
As previously announced, this and the forthcoming articles will be dedicated to data protection and data security issues related to cloud computing.
Personal data are usually processed in the cloud. In Europe, the processing of personal data is mainly regulated by Directive 95/46/EC, which is currently under revision. The Directive imposes quite stringent duties and obligations on the actors in such processing, mainly on the ‘Controller’ but also on the ‘Processor’. Given the above, the fact that personal data can be rapidly transferred by cloud service providers (CSPs) from one datacenter to another, and that the customer usually has no control over, or knowledge of, the exact location of the provided resources (the ‘location independence’ concept described in the article Cloud Computing Legal Issues: An Overview (Part 1/2)), understandably stimulates customers’ concerns about data protection and data security compliance. Read More...
In the news: EU security agency to launch tool to evaluate cloud security
06/03/11 18:19
Brian Honan, CAMM COO, speaks to SiliconRepublic about CAMM.
http://www.siliconrepublic.com/strategy/item/17700-eu-security-agency-to/ Read More...
Cloud Computing Legal Issues: How are Data Protection Roles (i.e., Data Controller and Data Processor) Distributed in the Cloud Environment, and thus the Related Duties, Obligations, and Possible Liabilities?
06/03/11 18:18
It is necessary to identify the Controller, the Processor and their interaction in order to determine “who is responsible for compliance with data protection rules, how data subjects can exercise their rights, which is the applicable national law and how effective Data Protection Authorities can operate” (Article 29 Data Protection Working Party: Opinion 1/2010 on the Concepts of “Controller” and “Processor”).
Directive 95/46/EC in fact imposes the main duties and obligations concerning personal data processing upon the Controller. More precisely, these are:
a) processing the personal data according to the principles of fairness, lawfulness, finality, adequacy, proportionality, necessity, and data minimisation (Article 6);
b) processing the personal data only after having obtained the data subject’s unambiguous consent, unless one of the exceptions to the consent requirement applies (Article 7);
c) processing the personal data only after having provided the data subject with the necessary information (Article 10);
d) guaranteeing the data subject the rights laid down in Article 12 – e.g., to obtain confirmation as to whether or not data relating to the data subject are being processed; to obtain information on the purposes of the processing, the categories of data concerned, and the recipients or categories of recipients to whom the data are disclosed; to rectify, erase or block data processed in a way which is not compliant with the provisions of the Directive; etc. (Article 12);
e) implementing appropriate technical and organisational security measures to protect personal data against accidental loss, alteration, unauthorised disclosure or access, and against all other unlawful forms of processing (Article 17);
f) choosing a Processor that provides sufficient guarantees with respect to the technical security measures and organisational measures governing the processing to be carried out, and ensuring compliance with those measures (Article 17);
g) transferring personal data to ‘third countries which do not ensure an adequate level of protection’ within the meaning of Article 25(2) only where the data subject has given unambiguous prior consent to the proposed transfer, or where other procedures are in place as per Article 26 (e.g., ‘Model Contracts for the transfer of personal data to third countries’, the ‘Safe Harbor Principles’ if the data are transferred to the United States, or ‘Binding Corporate Rules’) (ENISA 2009 Cloud Computing Risk Assessment).
According to the definitions in the Directive, the distinction between Controller and Processor is fairly clear. The Controller is the one who determines the purposes and means of the processing of personal data. The Processor is the one who processes personal data on behalf of the Controller. Applying these definitions to the cloud-computing environment is quite challenging. At first sight one may say that the customer is the Controller and the cloud service provider (CSP) the Processor (ENISA 2009). Nevertheless, CSPs often determine the means, and sometimes also the purposes, of the processing, thus falling under the definition of Controller. On 16 February 2010, the Article 29 Data Protection Working Party adopted an opinion specifically on the concepts of Controller and Processor, in which the Working Party tried to provide some guidance on interpreting these definitions in complex environments (Article 29 Data Protection Working Party: Opinion 1/2010). However, in a cloud-computing environment the position remains quite unclear, and such roles still need to be determined on a case-by-case basis, in view of the nature of the cloud services. This was confirmed by the European Data Protection Supervisor, Peter Hustinx, in his speech Data Protection and Cloud Computing under EU Law on 13 April 2010, where he called for further guidance from the Working Party on the matter. In this respect, it is notable that cloud computing is on the Working Party’s agenda for 2010 and 2011. It is also worth pointing out that on 18 June 2010 the Data Protection Authority of the German region of Schleswig-Holstein issued a legal opinion on cloud computing that, among other topics, addressed the legal basis for cloud computing and the related Processor and Controller issues. The key points of that legal opinion will be analysed in one of the forthcoming articles.
In any case, CSPs and customers should carefully evaluate their data protection roles, their respective duties and obligations, and the relevant liabilities before entering into a contractual relationship. Failure to comply with Directive 95/46/EC may lead to administrative, civil and also criminal sanctions for the Controller, which vary from country to country. Such sanctions are mainly detailed in the statutory instruments by which the Directive has been implemented in the various EU Member States.
Paolo Balboni – ICT Lawyer: www.paolobalboni.eu. Steering Committee Member of the Common Assurance Maturity Model (CAMM). Selected Legal Consultant for the European Networks and Information Security Agency (ENISA) studies: Cloud Computing Risk Assessment and Security and Resilience in Gov Clouds. Board Member of the European Privacy Association and of the Italian Institute for Privacy. Lecturer at Tilburg University on Liability of Web 2.0 Service Providers.
Cloud Computing Legal Issues: Which Data Security Measures Need to be Applied?
06/03/11 18:17
Data integrity and data availability are two extremely important elements in the provision of cloud-computing services (KPMG 2010 From Hype to Future). However, one has to keep in mind that there is an inevitable trade-off here: more data security is likely to lead to reduced availability; in other words, too much security kills performance (ENISA 2009 Cloud Computing Risk Assessment and Council of Europe 2010 Read More...
Cloud Computing Legal Issues: What are the Possible Ways to Lawfully Transfer Personal Data to Countries outside the European Economic Area (EEA)?
06/03/11 18:17
Cloud models entail that customer information and data are often transferred by the cloud service provider (CSP) from one datacenter to another, which may be located anywhere in the world. However, Directive 95/46/EC prohibits transfers of personal data to countries which do not ensure an adequate level of protection within the meaning of Article 25(2), unless the data subject has given unambiguous prior consent to the proposed transfer, or other procedures are in place as per Article 26 (e.g., ‘Model Contracts for the transfer of personal data to third countries’, the ‘Safe Harbor Principles’ if the data are transferred to the United States, or ‘Binding Corporate Rules’).
Read More...
Presentation at NCC
06/03/11 18:16
Tuesday 21st September in Manchester
Another sunny evening in Manchester, coupled with the regal surrounds of the once (Northern) end of the Midland Railway mellowed the atmosphere ready for a discussion of getting the nuggets of good practice out of the silt of audit. Read More...
Cloud Computing Legal Issues: Some Conclusive Remarks
06/03/11 18:15
Cloud computing seems an unavoidable, fast-paced revolution (BCG 2009 Capturing the Value of Cloud Computing). The analysis carried out in the last eight short articles has shown that cloud-computing services bring quite a number of legal concerns together with unquestionable economic benefits. Special attention has been dedicated to data protection and data security matters, by far the biggest issues for cloud service providers (CSPs) and (potential) customers (KPMG 2010 From Hype to Future). Read More...
Cloud Computing Legal Issues: How can Data Subject Rights be Guaranteed?
06/03/11 18:15
It was already pointed out in the article Cloud Computing Legal Issues: How are Data Protection Roles (i.e., Data Controller and Data Processor) Distributed in the Cloud Environment, and thus the Related Duties, Obligations, and Possible Liabilities? that the Controller has the obligation of guaranteeing the data subject the rights laid down in Article 12 of Directive 95/46/EC – e.g., to obtain confirmation as to whether or not data relating to the data subject are being processed; to obtain information on the purposes of the processing, the categories of data concerned, and the recipients or categories of recipients to whom the data are disclosed; to rectify, erase or block data processed in a way which is not compliant with the provisions of the Directive; etc. Read More...
Crimeware-as-a-Service
06/03/11 18:14
There is no doubt that the ingenuity of cyber criminals has always kept them ahead of the game. In many cases this leaves the less-than-prepared security professional or organisation playing cat-and-mouse, and open to exploitation and vulnerabilities! Read More...
CAMM Vision document
06/03/11 18:13
The CAMM Steering Group has issued version 1.0 of the Vision guidance document. You can download it in PDF format here. Read More...
Security and Privacy in Cloud Computing
06/03/11 18:12
If you have followed the series of blog posts from Paolo Balboni you may be interested in the final paper that summarises the legal and privacy concerns with cloud computing. Read More...
